Heroku seems great, but most non-trivial applications require authentication, and conventional authentication schemes require an SSL connection, and it's impossible to get https://your_app_name.com (you can only get https://your_app_name.heroku.com).

So if you're using Heroku, is it that:

  1. You don't mind directing users to another domain (seems pretty bad)
  2. You don't mind foregoing SSL for authentication (seems really bad)
  3. Your app doesn't require authentication

Edit: In your answer, please select one of the above options.

A: 

You can use a custom domain name in Heroku. This is not included in the free account though. Also, Heroku makes it dead simple to deploy Ruby on Rails apps. Deploying a Ruby on Rails application on a cheap hosting provider that only gives you limited, if any, shell access can be a nightmare. Not to mention Heroku's server is already preconfigured to optimize Ruby on Rails code; likewise, scaling up is just a matter of sliding a scale on the user interface.

So which one of the options in my question is it? I guess you don't care about SSL?
Horace Loeb
A: 

With Heroku you can use custom domain names (in the free version too). Scaling is easy, very easy, and they are making it better and better (I'm testing memcached and it works like a charm; delayed job, the backup system and the git integration are great too). The only problem for me, as you wrote, is the SSL...

How is the lack of SSL not a total show-stopper? Can you give an example of an application that doesn't require it?
Horace Loeb
OpenID doesn't require ssl on the client to be secure. So, you could use it.
BaroqueBobcat
+8  A: 

Hey, it's James from Heroku. The inability to use SSL with a custom domain is a problem shared by all multi-tenant platforms, due to a fundamental issue with the SSL protocol. A solution is in the works; we'll post details as soon as we've finalized the plan.

James at Heroku
+16  A: 

This is now a moot point. According to the documentation (http://docs.heroku.com/ssl), Heroku now allows custom domains to have SSL through two different mechanisms.

There are several SSL options from which to choose, ranging from free to $100/month. Each option has its pros and cons, but they all add SSL capability.

Sixty4Bit
Yup, this is fixed -- Heroku is amazing
Horace Loeb
You forgot to mention that SSL on Heroku costs $100/month.
feydr
There are several SSL options to choose from. $100/month is the most expensive while free is the least expensive. Each option has its pros and cons, but they all add SSL capability.
Sixty4Bit
+2  A: 

I'm using Twitter's OAuth for authentication on my apps (via twitter-auth).

Generic OpenID or even Facebook Connect would work just as well, as each of these handles the sensitive bits of authentication on somebody else's server.

Authlogic is an authentication gem that has plugins for each of these methods.

However, SSL is now fully supported on Heroku, if you're willing to pay a price that reflects the difficulty in getting SSL to work in a multi-tenant environment.

phloopy